*New PCI Credit Card Compliance

Waxman (Super Moderator, Orange, MA)
Got a packet in the mail last week. "Get PCI Compliant". Supposed to cover me somehow if a cc is stolen/misused/funds misappropriated via my wash and detail cc processing.

Why the heck should I have to pay $X amount per year to insure against some dirtbag stealing via cc's that are processed/batched?

Called my cc processor and they said "yeah, that is definitely something you should do."

WHY? Why/why not? Seems like another way for someone to get $X out of my small company per year for some guarantee against a possible felony, and I'd rather not be scammed under the guise of: "hope you don't get involved in a scam!".

TIA.
 

pitzerwm (Active member, Tri-Cities, WA)
The reason might be that there is a $25K fine if you allow credit card info to fall into the wrong hands. And you are civilly liable to the victim.

When that came out a number of years ago, I had the secretary shred every last file that had CC info in it. "That makes it easier to process the bill each month." I don't care, shred the card info.

Check with your insurance company, you probably already have this.
 

Whale of a Wash (5 Washes 36Bays 2Vectors, Fargo, ND)
I don't think the ACW stores numbers; if that's true it's a non-issue. I'd wait till your processor contacts you. They sound a lot like the companies that call and want to send out free state bulletins for big money.
 

RykoPro (Technician/Manager, Michigan)
On July 1st 2010 you MUST be PCI compliant. The fine will be the least of your worries, as you will be 100% responsible for any breach in credit card security. Many processors will just cut you off if your equipment is not PCI compliant by the due date.
 

RykoPro (Technician/Manager, Michigan)
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
http://www.pcicomplianceguide.org/pcifaqs.php#2
 

Waxman (Super Moderator, Orange, MA)
RykoPro said:
On July 1st 2010 you MUST be PCI compliant. The fine will be the least of your worries, as you will be 100% responsible for any breach in credit card security. Many processors will just cut you off if your equipment is not PCI compliant by the due date.
Then it should be the processor's responsibility to ensure the equipment used is PCI compliant.
 

pitzerwm (Active member, Tri-Cities, WA)
I don't think that it is insuring the equipment, it's probably insuring you from liability.
 

Waxman (Super Moderator, Orange, MA)
Honestly I find even this thread confusing, so I emailed my cc processing company's sales rep and am awaiting his reply. I will post his response to shed some light here.
 

ScottV (Upstate NY, Corning, NY)
My credit card processor is Elavon. They sent me a letter stating that I had 90 days to become PCI compliant, or I would be subject to a $25 per month fee, per account. I tried using their online tool and can't make any sense out of the questions that they are asking.

I don't want to be disconnected on July 1st, 2010 (as RykoPro suggests) and I don't want to pay an additional $300 in fees each year per account. I guess I need to call their helpline and try to get an English-speaking person to walk me through what is needed.

ScottV
 

RykoPro (Technician/Manager, Michigan)
They want YOUR equipment to be PCI compliant (reader and program that sends/stores the credit card information). It is a software and/or equipment upgrade at the point of sale. I doubt insurance would help if your equipment is non-compliant; better to speak with your processor or equipment supplier.
 

RykoPro (Technician/Manager, Michigan)
From the link I posted:
Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.
 

Randy (Well-known member)
PCI compliance is nothing new. It started in 2004 when the banks and credit card companies decided that they needed to do something about the security issues and credit card fraud that were costing them tens of millions of dollars every year. The manufacturers of credit card equipment that accepts or transmits credit card information have had to design their software and processes to become PCI compliant. This has cost the equipment manufacturers hundreds of thousands of dollars; I know of one company that spent almost 500k.

As with everything, stuff rolls downhill, and the PCI Committee has made the end user or the merchant responsible for ensuring that his equipment is PCI compliant. Go to this web site www.pcisecuritystandards.org/security_standards/vpa/ and all the information you need will be there. There is a 12-question survey that you need to fill out and return to your provider.

Also some providers are charging a fee to check the security of your system, upwards of $300 a year. They are trying to recoup some of the funds they have had to spend. Also, in the past most equipment manufacturers have done the security software upgrades at no cost; this is about to change.
 

Tom Thumb (Active member, Orlando, FL)
This item has been discussed several times in the past with no real answers but a lot of different opinions; it appears we are in the hands of our merchant server on this issue.

I think it would be interesting to know who PCI Security Standards Council, LLC is.

Is this our government at work, or just a politician making a few bucks on the side?
 

Happycarz (Member, Scottsdale, AZ)
B of A asked what kind of equipment I am using, during a compliance inquiry call. When I said WashGear, they said great and no more questions. They have verified the WashGear is already PCI compliant.
 

washtubman (Member, Indiana)
We are also with Elavon and totally confused by their questions. Over 200 of them!! We did get past the part where they scan our IP address each month and so far that has passed; but that does not make us PCI compliant. We have been paying the $25 for 3 months now. No one seems to have any answers for this. I think they are making it that way to collect extra money.
 

Waxman (Super Moderator, Orange, MA)
My company said to call the processor themselves and take their survey. I said no. I just switched last year and since then nothing has changed on my end, so if I were PCI compliant then I should still be now.

The fact that they are so quick to ask me to take the survey and not give any real answers at all when they are in the cc processing business doesn't seem right.
 

PDQ Manufacturing (Car Wash Manufacturer, De Pere, WI)
Whale of a Wash said:
I don't think the ACW stores numbers; if that's true it's a non-issue. I'd wait till your processor contacts you. They sound a lot like the companies that call and want to send out free state bulletins for big money.
This statement isn't entirely accurate... just because a machine doesn't store credit card information (FYI to all, if your machine posts your cc transactions in "batches", it stores cc information) doesn't mean that PCI Compliance doesn't apply. The credit card information still has to be passed from the card reader to the credit card processor, which involves software in the machine at some point, whether it be the actual entry station software or the software built into the card reader. According to the PCI Security Standards Council, PCI compliance is required for anyone that stores, processes or transmits credit card information.

ScottV said:
My credit card processor is Elavon. They sent me a letter stating that I had 90 days to become PCI compliant, or I would be subject to a $25 per month fee, per account. I tried using their online tool and can't make any sense out of the questions that they are asking.

I don't want to be disconnected on July 1st, 2010 (as RykoPro suggests) and I don't want to pay an additional $300 in fees each year per account. I guess I need to call their helpline and try to get an English-speaking person to walk me through what is needed.

ScottV
From the entry station perspective, as long as you're running a software version that is listed in PCI's validated payment applications list, your Access units are PA-DSS compliant. This obviously doesn't cover anything else at your locations that may touch a credit card, but if you only have Access units, you should be able to notify your merchant provider of the software version you're running on those units so that they can cross-reference them with the list of validated payment applications on PCI's website (https://www.pcisecuritystandards.org/security_standards/vpa/ as Randy pointed out in a previous post). If you need help with this, please give our Tech Services department a call and they can assist you.

Waxman said:
My company said to call the processor themselves and take their survey. I said no. I just switched last year and since then nothing has changed on my end, so if I were PCI compliant then I should still be now.

The fact that they are so quick to ask me to take the survey and not give any real answers at all when they are in the cc processing business doesn't seem right.
You may be required to, at minimum, submit a Self Assessment Questionnaire (SAQ). An SAQ needs to be submitted on an annual basis attesting to the merchant provider that you are still in compliance with the standards.
 

Waxman (Super Moderator, Orange, MA)
Finally resolved this.

I asked my processing agent to help me and he did. It took a couple of tries asking him, because he wanted me to jump through a few hoops and I said I was very busy, so he finally handled the hoop-jumping.

He brought by forms for me to sign and prompted me to create a written policy for employees to sign regarding cc transactions (which I did).

Problem solved. Amount spent=$0.00:D The waxman prevaileth.
 